In conventional system administration of a computer system, an all-powerful system administrator authenticates using a password at a console and issues commands and edits files to create other users, establish their access rights, and perform maintenance. Some utilities can be permitted by such a system administrator to allow remote access. Little or no record is kept of changes, and the “superuser” can remove or modify any records.
Historically, to establish security of computer systems the first step is physical and network isolation. Users must have passwords and there are ways to make passwords “stronger” by following certain rules.
Security policies which may encourage stronger passwords include the following: enforcing a minimum length of the password; allowing a maximum time for a password before it is changed; checking a password against a dictionary so that no words can be found that are normal language words; requiring that a password be composed of a mix of numbers and letters; requiring that the user mix upper and lower case text; and hashing a user selected password into a pseudorandom password of longer length.
Administrators of systems may take certain actions to protect their systems such as denying the ability to remotely log into a system from other than the console. Users may be defined to have a limited number of commands available to them or have certain access control levels set for directories and subdirectories. Rather than defining the commands and access controls for each user, users may be assigned to profiles and the profiles defined ahead of time for certain access to files or commands.
Between two computer systems there are a number of ways of controlling access. One way is to define one computer system as the client of another which is considered to be a server. A secure socket layer protocol can provide some confidentiality in identifying the server and encrypting the traffic between the client and the server. Web browsers on the clients and Web servers on the server can support a secure socket layer protocol but the forms or pages must be defined to take advantage of SSL.
Even stronger security is provided through some two-part authentication method. This could be a physical key such as a flash drive or a fingerprint reader and a password. More convenient is the use of a public key associated with a private key. By storing a public key in a directory at a server and a private key with a client, a secure shell (SSH) can provide a tunnel through a firewall.
Definition List 1

Term: Definition

Strong passwords: For a password to be strong, it should:
- Be long. Because of the way passwords are encrypted, the most secure passwords are seven or 14 characters long.
- Contain characters from each of the following groups: 1. Letters (uppercase and lowercase); 2. Numerals; 3. Symbols (all characters not defined as letters or numerals).
- Be significantly different from prior passwords.
- Not contain a user name.
- Not be a common word or name.
Passwords can be the weakest link in a computer security scheme. Strong passwords are important because password cracking tools continue to improve and the computers used to crack passwords are more powerful than ever. Network passwords that once took weeks to crack can now be cracked in hours. Password cracking software uses one of three approaches: intelligent guessing, dictionary attacks, and automation that tries every possible combination of characters. Given enough time, the automated method can crack any password. However, it still can take months to crack a strong password.

rlogin: rlogin is a utility that allows users to log in via a network. Logged-in users can act as if they were physically present at the computer. rlogin is most commonly deployed on networks where user account information is shared. rlogin has a serious security problem: all information, including passwords, is transmitted unencrypted (making it vulnerable to interception).

Superuser: The super user with unrestricted access to all system resources and files is the user named root. This user has supreme privileges and may add new users.

Sudo: The sudo utility allows users defined in a configuration file to have temporary access to run commands they would not normally be able to due to file permission restrictions.

SSL: Secure Sockets Layer, is a protocol developed by for transmitting private documents. SSL uses a cryptographic system that uses two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message. Many Web sites use the protocol to obtain confidential user information.

http: Hypertext Transfer Protocol (HTTP) is a communications protocol used to transfer or convey information. Its original purpose was to provide a way to publish and retrieve HTML hypertext pages. HTTP is a request/response protocol between clients and servers.

SSH: Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary. SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary ports and connections; it can transfer files.

Firewall: A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network which has different levels of trust. A firewall's basic task is to transfer traffic between computer networks of different trust levels.

NAT: Network Address Translation (NAT, also known as Network Masquerading, Native Address Translation or IP Masquerading) involves rewriting the source and/or destination addresses of IP packets as they pass through a router or firewall. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address. Since NAT depends on a machine on the local network to initiate any connection to hosts on the other side of the router, and prevents malicious activity initiated by outside hosts from reaching those local hosts, it is a barrier to remote support.

SSH -R port:host:hostport: Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine.

Unix domain socket: A socket is a communication mechanism. Unix domain socket (UDS) or IPC socket (inter-process communication socket) is a virtual socket, similar to an internet socket, that is used for inter-process communication.

Appliance: A computer software device which provides a narrow range of functions that are generally run with limited user interface and packages together application and operating system capabilities. Embodiments of an appliance include an application-specific integrated circuit with some basic configuration by a user and deeper privileged programming by the manufacturer. Another embodiment is a general purpose computer with a new operating system that integrates an application into the operating system. Another embodiment is a software appliance with conventional hardware and operating system but where the user cannot access anything but the application interface and where the underlying architecture is essentially invisible. Another embodiment is a virtual appliance or virtual software appliance using a software stack within a computer adapted to operate as a number of virtual machines. Typically a virtual appliance will have a limited user interface to configure the inner workings of the appliance which is built to host a single application.
Current challenges—A solution for the explosive growth of Internet connected devices which stresses the Internet protocol address space is to provide an apparatus or means for network address translation at the intersection of local area networks with the Internet. This alone hides the actual IP address of Internet connected devices. Also for protection against malicious users and software, local area networks are protected by firewalls which are either apparatus or methods tangibly embodied as programs running on a computer.
As the number of users grows in every locality, there is a need for global installation of Internet infrastructure. In many cases this infrastructure is installed in locations where there are not highly skilled system and network administrators. Furthermore, the operations of systems on the Internet frequently span the local workday and require 24×7 support, most conveniently provided from several time zones remote to the installation of an Internet appliance.
Economically it is also efficient to outsource the maintenance of Internet connected devices to specialists at distant locations. This role may be distributed among software or hardware vendors, their value added resellers, and their distribution channel partners. One or more of these may provide different levels of support and maintenance. However, it always remains the responsibility of the owner of the Internet connected device to control his asset. Over time the business relationships and locations of support organizations may change for economic reasons or for strategic reasons.
Remote support is most likely to be provided not only by non-employees of the owner but even subcontractors of the vendor the owner has chosen to do business with and whose contracts may expire. Therefore users who are authorized to have access to an Internet appliance during one contract may change in another.
It is important when dealing with distant parties who are providing an arm's-length service that there be provisions for logging their activity and recovering from errors or malicious changes. Because there are three or more parties involved and the opportunity for a diluted responsibility, it is desirable to use some concepts of process automation to efficiently ensure that services are provided in a timely manner and maintain traceability of action or inaction.
Thus it can be appreciated that what is needed is a way to improve security and simplicity in connecting a remote support technician to an Internet appliance which is protected behind a firewall or network address translation means in addition to physical inaccessibility. Improved security would mean positive identification of each end of the connection, multiple levels of privileged access, a record of the changes, and limited time period for the access. Simplicity would be measured in the number of actions that the appliance owner needs to understand and execute to remain in control of his asset.
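As an added illustration (not part of the original text), the sketch below shows how the SSH -R forwarding from Definition List 1 can be narrowed with standard OpenSSH options so that each end is identified by key and the access expires. The account name tunnel, the key path, the host name and the sample key are constructed placeholders; logging of changes is outside its scope.

```shell
#!/bin/sh
# Added example. Names, paths, ports and keys below are constructed placeholders.

# Print the authorized_keys entry a support server keeps for one appliance.
#   $1 = loopback port the appliance may bind with -R
#   $2 = expiry as YYYYMMDDHHMM (server local time)
#   $3 = appliance public key ("type base64 [comment]")
support_key_entry() {
    port=$1 expiry=$2 pubkey=$3
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 1; }
    case $expiry in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "bad expiry" >&2; return 1 ;;
    esac
    # restrict:        no pty, no agent/X11 forwarding, no port forwarding
    # port-forwarding: re-enables forwarding that restrict turned off
    # permitlisten:    remote (-R) listeners limited to one loopback port
    #                  (local -L forwarding is limited separately, with permitopen)
    # expiry-time:     the key is refused after this time
    # command:         the key never obtains a shell on the support server
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",expiry-time="%s",command="/bin/false" %s\n' \
        "$port" "$expiry" "$pubkey"
}

# Print the command the appliance behind NAT runs to open the tunnel.
#   $1 = same port as above, $2 = support server host name
appliance_tunnel_command() {
    port=$1 server=$2
    # StrictHostKeyChecking=yes: connect only to a server whose host key is known.
    # ExitOnForwardFailure=yes:  fail instead of staying connected without the forward.
    # The listen address is written as 127.0.0.1 so it matches permitlisten exactly.
    printf 'ssh -N -i /etc/support/tunnel_key -o BatchMode=yes -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes -R 127.0.0.1:%s:127.0.0.1:22 tunnel@%s\n' \
        "$port" "$server"
}

# Constructed sample values.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForIllustrationOnly appliance-0001'
support_key_entry 20022 202501312359 "$SAMPLE_KEY"
appliance_tunnel_command 20022 support.example.com
```

A technician on the support server then reaches the appliance's SSH service through 127.0.0.1:20022 for as long as the appliance keeps the tunnel open and the key has not expired.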